With Google disclosing the POODLE vulnerability in SSL v3, we are now witnessing version 3’s last days. Unlike other SSL vulnerabilities, such as BEAST and LUCKY 13, POODLE has no patch or workaround—the v3 protocol itself is broken. Connections using CBC ciphers are insecure, enabling attackers to extract sensitive data from them.
In Google’s paper, their vulnerability researchers reveal how an attacker can extract ostensibly encrypted data from SSL v3 connections that use CBC ciphers. They also provide an example of how a real-world attack might take place, resulting in session cookies being stolen.
The bottom line is that attackers with access to client or server environments can manipulate clients to use insecure SSL v3 connections. They then use v3 weaknesses to extract sensitive data from the stream...